On Wednesday, the U.S. Department of Justice (DoJ) announced the indictment of three alleged North Korean hackers, accused of orchestrating an extensive scheme to steal and extort over $1.3 billion in cash and cryptocurrencies from various businesses and financial institutions.

The indicted individuals—Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36—are reportedly affiliated with North Korea’s Reconnaissance General Bureau. This division, commonly identified as the Lazarus Group, Hidden Cobra, or Advanced Persistent Threat 38 (APT 38), has been linked to numerous high-profile cyberattacks, including the notorious 2014 compromise of Sony Pictures Entertainment.

These hackers have been charged with developing and deploying malicious cryptocurrency applications and fraudulently promoting a blockchain platform. The indictment builds upon prior charges from 2018 against Park, tracing a pattern of sophisticated cybercriminal activity linked to the North Korean regime’s financial maneuvers.

A Comprehensive Cyber Assault

Assistant Attorney General John C. Demers described North Korean operatives as “the world’s leading bank robbers,” emphasizing their reliance on cyber techniques over traditional methods of theft. This indictment underscores the persistent threat posed by nation-state actors engaging in cybercrime to support financially insular regimes suffering from heavy international sanctions.

In announcing this indictment, the DoJ highlighted how the Lazarus Group leverages cryptocurrency heists to fund its activities, while simultaneously conducting a variety of cyberattacks targeting businesses and critical infrastructure. Since entering the U.S. sanctions list in 2019, the group has engaged in a range of illicit cyber activities, including the 2017 WannaCry ransomware outbreak and significant thefts from banking networks.

The indictment also reveals plans for creating a crypto-token named Marine Chain, designed to allow investments in shipping vessels. Ultimately, this initiative was purportedly a mechanism for illicit fund generation intended to support North Korea’s regime while circumventing sanctions.

The “AppleJeus” Backdoor Exploit

Integral to their operations, the hackers created malicious applications disguised as legitimate cryptocurrency trading platforms. These trojanized applications carried a backdoor dubbed “AppleJeus,” which gave the operators access to victims’ systems and let them siphon funds from unsuspecting users. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has noted the emergence of numerous malware variants since 2018, and has observed that initial access was typically achieved through a blend of phishing and social engineering.

The campaigns primarily targeted organizations in the energy, finance, government, industry, technology, and telecommunications sectors, using malware capable of compromising both Windows and macOS systems. CISA has tracked multiple variants of the “AppleJeus” malware, establishing it as a recurring tool of this sophisticated adversary.

Broader Implications and Collaborations

The indictment describes how the three operatives are believed to have operated from locations in China and Russia, with objectives aligned to advance North Korean strategic and financial interests. However, details on possible collaborations with local actors remain unspecified.

In a related case, the FBI has taken action to seize approximately $1.9 million in cryptocurrency allegedly stolen from a financial services organization based in New York. The case also revealed the involvement of a Canadian-American citizen named Ghaleb Alaumary, who pleaded guilty to money laundering charges tied to North Korean cyber activities.

While extradition of the North Korean operatives remains unlikely, they face multiple charges related to computer fraud, wire fraud, and bank fraud. Alaumary’s conviction on money laundering carries a substantial potential sentence, highlighting the severe legal repercussions associated with cybercrime.

Acting U.S. Attorney Tracy L. Wilkison remarked on the extensive and varied nature of the criminal conduct engaged in by these operatives, framing their activities as emblematic of a rogue nation-state’s approach to cyber warfare. The indictment serves as a potent reminder of the ongoing cybersecurity threat landscape, in which state-sponsored actors employ sophisticated tactics, including initial access, persistence, and various forms of exfiltration, as described in the MITRE ATT&CK framework.
